Ownership should sit with the business and site leaders who understand operational need, with security enforcing the control and HR providing the authoritative employment signal. That split keeps recertification tied to real-world job function rather than leaving it as an administrative task inside facilities or IT.
Why This Matters for Security Teams
Physical access recertification looks administrative until a badge, door group, or shared facility exception outlives the role that justified it. The control only works when ownership follows operational reality: the manager or site leader knows whether access is still needed, security defines the control standard, and HR provides the employment signal. That is the same pattern NHIMG sees in identity governance more broadly, where access reviews fail when they are treated as paperwork instead of authoritative decisions. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, a reminder that stale entitlement is a structural risk, not a rare exception.
Security teams often get this wrong by assigning recertification to facilities or IT because those teams administer badge systems, not because they understand ongoing business need. That creates weak attestations, delayed removals, and a false sense of control. The right owner must be able to answer a simple question at review time: does this person still need physical access to this location, at this level, for this purpose? The issue is visible in incidents like the Sisense breach, where identity and access governance failures can have real-world consequences beyond the badge reader itself. In practice, many security teams discover over-privileged physical access only after an employee changes role, leaves a site, or is already on the wrong side of an audit finding.
How It Works in Practice
Ownership should be split by function, not by system administration. Business and site leaders should attest to need, security should define frequency, evidence requirements, and exception handling, and HR should feed authoritative joiner-mover-leaver events. That division keeps the review anchored to current job function while preserving a clear control owner. For physical access, the recertification record should show who approved, what location or zone was reviewed, when the access was last used, and whether the account or badge was removed, suspended, or narrowed.
A workable process usually includes:
- HR triggers a review when employment status, manager, or site assignment changes.
- The business owner validates operational need for each location or restricted zone.
- Security enforces deadlines, escalation, and removal for non-response or denial.
- Facilities or badge system administrators execute the change, but do not own the decision.
- Exceptions are time-bound, documented, and reviewed again before expiry.
This model aligns with the broader access-control guidance in the OWASP Non-Human Identity Top 10, especially the principle that entitlement lifecycle must be continuously governed rather than assumed valid. It also mirrors NHIMG guidance that identity sprawl becomes dangerous when review ownership sits with the wrong operational layer, as discussed in the Ultimate Guide to NHIs — Key Challenges and Risks. Where organisations need extra rigor, they should tie physical access recertification to role-based location mappings and require managers to justify any access that does not match the employee’s current site or shift. These controls tend to break down in multi-site operations with contractors and shared badges because no single manager feels accountable for the access footprint.
Common Variations and Edge Cases
Tighter recertification often increases coordination overhead, so organisations have to balance faster removal against the time it takes leaders to attest accurately. That tradeoff becomes most visible in environments with remote workers, shift-based plants, clean rooms, labs, or co-managed office space. In those settings, the answer to “who owns it?” can vary by zone: the site leader may own the attestation for the building, while a department head owns access to a controlled area, and security owns the escalation path.
There is no universal standard for this yet, but current guidance suggests the ownership model should match the risk of the area, the sensitivity of the materials, and the speed at which access becomes unsafe if it is stale. Temporary badges, visitor access, and emergency override lists need shorter review cycles and stricter expiry than standard employee access. The most common failure mode is allowing facilities to “clean up” the badge list after the fact without a business sign-off, which turns recertification into inventory management instead of risk governance. NHIMG’s broader breach analysis in the 52 NHI Breaches Analysis reinforces the same lesson: access that is not actively revalidated tends to persist until something forces removal.
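The ownership split and review steps above, together with the shorter cycles for temporary, visitor and override access, can be expressed as a single recertification decision routine. The following is an added illustration written for this page, not NHIMG's or any badge vendor's code; the badge types, review periods, grace period and the site-to-zone mapping are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cycle per badge type: shorter cycles for temporary, visitor and
# override access. Constructed values for illustration, not a published standard.
REVIEW_CYCLE_DAYS = {"employee": 180, "contractor": 90, "temporary": 14,
                     "visitor": 1, "emergency_override": 30}
NON_RESPONSE_GRACE_DAYS = 14   # after this, security suspends instead of waiting

# Hypothetical role-based location mapping: which zones each site justifies.
SITE_ZONES = {"plant-a": {"plant-a-lobby", "plant-a-floor", "plant-a-lab"},
              "office-b": {"office-b-lobby", "office-b-floor"}}

@dataclass
class BadgeAccess:
    badge_id: str
    badge_type: str
    zones: frozenset              # zones currently granted on the badge
    employment_status: str        # authoritative HR signal: "active" / "terminated"
    current_site: str             # authoritative HR site assignment
    last_used: date
    last_reviewed: date
    attestation: Optional[str]    # business owner's answer: "approved", "denied", None
    attested_by: Optional[str]
    exception_expires: Optional[date] = None

def recertify(a: BadgeAccess, today: date) -> dict:
    """Return the recertification record: the action plus the evidence the
    review must retain (who approved, zones reviewed, last use)."""
    rec = {"badge_id": a.badge_id, "zones_reviewed": sorted(a.zones),
           "last_used": a.last_used.isoformat(), "approved_by": a.attested_by}
    due = a.last_reviewed + timedelta(days=REVIEW_CYCLE_DAYS[a.badge_type])
    if a.employment_status != "active":      # leaver: HR signal overrides the rest
        return {**rec, "action": "remove", "reason": "employment ended"}
    if a.exception_expires and a.exception_expires < today:
        return {**rec, "action": "remove", "reason": "exception expired unreviewed"}
    if today < due:
        return {**rec, "action": "keep", "reason": f"next review due {due}"}
    if a.attestation == "denied":
        return {**rec, "action": "remove", "reason": "business owner denied need"}
    if a.attestation is None:                # no response: escalate, then suspend
        if today > due + timedelta(days=NON_RESPONSE_GRACE_DAYS):
            return {**rec, "action": "suspend", "reason": "no attestation by deadline"}
        return {**rec, "action": "escalate", "reason": "attestation overdue"}
    stale = a.zones - SITE_ZONES.get(a.current_site, set())   # mover check
    if stale:
        return {**rec, "action": "narrow", "remove_zones": sorted(stale),
                "reason": f"zones not mapped to {a.current_site}"}
    return {**rec, "action": "keep", "reason": f"approved by {a.attested_by}"}
```

The facilities team receives only the resulting action; the decision and its evidence stay with the business owner, security and HR inputs that produced it.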
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-04 | Access permissions should be reviewed and updated when roles or need change. |
| NIST SP 800-63 | Digital Identity Guidelines | Identity proofing and lifecycle signals support authoritative recertification decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle governance applies to physical access as an entitlement that must not remain stale. |
Assign business owners to attest physical access need and remove access when role context changes.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org